How social engineering tricked Wal-Mart into handing over sensitive information

WalmartWal-Mart pretty much sliced itself open and spilled its guts onto the scammer’s lap.

In this year’s Capture the Flag social engineering contest at Defcon, champion Shane MacDougall used good lying, a lucrative (albeit bogus) government contract, and his talent for self-effacing small talk to squeeze the following information out of Wal-Mart:

  • The small-town Canadian Wal-Mart store’s janitorial contractor,
  • Its cafeteria food-services provider,
  • Its employee pay cycle,
  • Its staff shift schedules,
  • The time managers take their breaks,
  • Where they usually go for lunch,
  • Type of PC used by the manager,
  • Make and version numbers of the computer’s operating system, and
  • Its Web browser and antivirus software.

DefconReporting from the Las Vegas show, which wrapped up a few weeks ago, Stacy Cowley at CNNMoney wrote up the details of how Wal-Mart got taken in to the extent of coughing up so much scam-worthy treasure.

Calling from his sound-proofed booth at Defcon MacDougall placed an “urgent” call – broadcast to the entire Defcon audience – to a Wal-Mart store manager in Canada, introducing himself as “Gary Darnell” from Wal-Mart’s home office in Bentonville, Ark.

The role-playing visher (vishing being phone-based phishing) told the manager that Wal-Mart was looking at the possibility of winning a multimillion-dollar government contract.

“Darnell” said that his job was to visit a few Wal-Mart stores that had been chosen as potential pilot locations.

But first, he told the store manager, he needed a thorough picture of how the store operated.

Walmart. Image from Shutterstock

In the conversation, which lasted about 10 minutes, “Darnell” described himself as a newly hired manager of government logistics.

He also spoke offhand about the contract: “All I know is Wal-Mart can make a ton of cash off it,” he said, then went on to talk about his upcoming visit, keeping up a “steady patter” about the project and life in Bentonville, Crowley writes.

As if this wasn’t bad enough, MacDougall/Darnell directed the manager to an external site to fill out a survey in preparation for his upcoming visit.

The compliant manager obliged, plugging the address into his browser.

When his computer blocked the connection, MacDougall didn’t miss a beat, telling the manager that he’d call the IT department and get the site unlocked.

After ending the call, stepping out of the booth and accepting his well-earned applause, MacDougall became the first Capture the Flag champion to capture every data point, or flag, on the competition checklist in the three years it’s been held at Defcon.

Defcon gives contestants two weeks to research their targets. Touchy information such as social security numbers and credit card numbers are verboten, given that Defcon has no great desire to bring the law down on its head.

Defcon also keeps its nose clean by abstaining from recording the calls, which is against Nevada law.

However, there’s no law against broadcasting calls live to an audience, which makes it legal for the Defcon audience to have listened as MacDougall pulled down Wal-Mart’s pants.

Man vs Woman, courtesy of ShutterstockOne interesting thing to note: this year’s contest took on a battle of the sexes theme, with 10 male and 10 female contestants vying to capture the flag.

Are men better at weaseling information out of people and at lying? Crowley quoted one female contestant who folded under the guilt of lying, saying she “just couldn’t do it.”

From her writeup:

Some contestants got nowhere with their calls, especially when they posed as outside marketers or researchers. Others froze up when they got a live human being on the line.

One first-time contestant landed a receptive HR representative, only to visibly collapse with guilt. She signaled the tech crew to cut the line.

"I just couldn't do it," she said afterward. "I'm an honest person. I didn't realize it would feel so wrong to sit there lying."

But while females might have more compunction than males about duping others, they’re actually better at sniffing out a con.

Back in May, Chris Hadnagy of, which sponsors the annual Capture the Flag contest, told Threatpost’s Paul Roberts that female employees at targeted companies were less likely to fall for social engineering ruses than their male counterparts:

"Every time we get a woman on the phone as a target, she does better than the guys. She's more paranoid, and answers fewer questions. Her 'phish' meter goes up quicker and she hangs up."

Its anecdotal, but it’s interesting.

In “Brain Sex: The real difference between men and women”, a book about the physiological differences between the genders’ brains, Anne Moir and David Jessel write that from the fetus’s development in the womb, female brains are organised to respond more sensitively to all sensory stimuli, most particularly verbal/aural:

Girls and women hear better than men. When the sexes are compared, women show a greater sensitivity to sound. The dripping tap will get the woman out of bed before the man has even woken up. Six times as many girls as boys can sing in tune. They are also much more adept at noticing small changes in volume, which goes some way to explaining women's superior sensitivity to that 'tone of voice' which their male partners are so often accused of adopting.

What’s an organisation to do to protect against getting vished so thoroughly like Wal-Mart?

Person dialling phone number, courtesy of ShutterstockWill it be technology like the kind Fujitsu’s putting into field trials this month: phone scam detection technology that analyses voice intonation and recognises typical words used by scammers?

Or could we perhaps turn around Defcon’s “battle of the sexes” and turn it into “cooperation of the sexes?”

In other words, perhaps organisations should rely more on women’s inherent strengths at parsing spoken language to detect scams.

Wal-Mart spokesman Dan Fogleman told CNNMoney that the company was “disappointed [that] some basic information was shared” and that it would be mulling over what it should learn from the incident:

When you're in the customer service business, sometimes our people can be a bit too helpful, as was the case here. We emphasize techniques to avoid social engineering attacks in our training programs. We will be looking carefully at what took place and learn all we can from it in order to better protect our business.

Should one lesson for Wal-Mart and other organisations be that women should be conducting the anti-scam workshops?

Let us know your thoughts in the comments section below, and please don’t hate on me for emphasising the gender aspects of this interesting lesson in phone scams.

It was Defcon who set it up as a battles of the sexes, not me.

Man and woman arm-wrestling, dialling phone number and Wal-Mart images from Shutterstock.